On Mar 24, 2015, at 4:55 PM, Michael StJohns <msj@nthpermutation.com> wrote:
On 3/24/2015 5:41 PM, Wessels, Duane wrote:
- Special case in recursive resolver code for this name/type
Yes - unclear how large scale of a problem this might be.
Yes, I would like to hear from implementors.
- I'd expect to see "IN/./DS" queries become used in DDoS attacks
Probably not. Basically, the root trust anchor set is pseudo-static. It changes, but over long long time. This is no worse than retrieving any other static data record given smart programming.
I don't think it matters whether or not its static. What matters is if attackers would be able to rely on it and find it useful. I guess the amplification factor is not significant, so maybe this point is not worth worrying about.
- Some (incorrect) implementations would almost certainly forward these to the roots.
If the "recurse" flag isn't set and the resolver is forwarding queries then you have a different problem.
I'd say we have that problem today.
- Doesn't work for stubs.
You mean because they don't actually answer external queries. Probably not a big issue.
I'm not so sure. If we expect validation to be pushed out to applications then this becomes important.
Or an EDNS extension whereby a client can transmit its trust anchor/DS keytag(s) along with a DNSKEY query? This could work for all zones, not just root, but I suppose it assumes the validator knows the DS before it makes the DNSKEY query (top-down vs bottom-up).
Thought about this for a few minutes and decided it was probably a non-starter due to the possible size of the responses. There's also this problem that the resolver may be gleaning data (e.g. the non-cached DNSKEY) from upstream when what we really want is the current state of the server-local trust anchor set.
What I proposed shouldn't affect responses. It would only be present in queries, and just a few extra bytes I think (EDNS option code, length, keytag). This would only work for measuring stubs if we made the recursives forward the option for cache misses. DW